July 9th, 2002, 10:28 PM
#1
Rundl1.exe???
I found an executable file that does some virus-like activities and cannot find anything about the file.
RUNDL1.EXE
It's 13.5KB and loads when the screensaver kicks on. It uses up whatever CPU cycles aren't being used, and slows stuff to pretty close to being locked up (it takes about 4 minutes to come off of the screensaver back to the desktop). It also seems to cause network traffic, what I don't know. I disabled the file (moved from the Windows\System folder to the desktop and renamed).
Has anyone ever seen this file, or are there any programmers out there who would like to see it, who could possibly tell me what it does?
I searched SARC and couldn't find anything, I'm gonna email them tonight.
Those who do not know, are lost...
-
July 9th, 2002, 10:37 PM
#2
Oops, I forgot. When it was first installed it installed a startup parameter in the registry for a program called windl1. Every time the machine would boot it would have an error message, I forget what exactly it was, some BS error like:
Runtime Error 204 (not correct, but something to that effect)
I used msconfig to disable the windl1 entry, and that got rid of the error at boot. But it still loaded and used 100% of the CPU time when the screensaver kicked on.
-
July 9th, 2002, 11:20 PM
#3
Scan for a virus... also run Adaware to see if it finds spyware. Another thing to do is simply rename the offending file and see what happens... also run Regedit and remove any references to the file (make a backup of the registry first).
-
July 9th, 2002, 11:57 PM
#4
I'm clean, I already got rid of all ill effects from it. No AV scanners detect it as a known virus.
I just wanna know what it is.
-
July 10th, 2002, 08:21 AM
#5
If the machine has Kazaa on it, that's what it is... it has distributed computing built in to it so it uses all the unused CPU cycles. If not that, then maybe it's another distributed computing program such as the ones at distributed.net
-
July 10th, 2002, 10:33 PM
#6
This was not installed by any other programs, it has its own installer (probably just a bat2exe type thing). The size of the whole thing packaged up is 33.5k
SARC says it is not a virus, but they of course don't say what it is or what it does.
As I'm sure you're all aware, I hate not knowing.
Anyone willing to crack it open and have a look-see???
-
November 16th, 2002, 11:07 PM
#7
Did you ever find out what it is? I found it (rather, Kerio did) on my computer too. It doesn't use my clock cycles but does try to connect to http://clusterc.icq.com
<edit> I found a file called rundl1.dat in the same folder as rundl1.exe. This is what's inside:
</edit>
Last edited by Mope; November 16th, 2002 at 11:14 PM.
-
November 17th, 2002, 03:38 AM
#8
I found a trojan detector called The Cleaner at http://www.moosoft.com/thecleaner/
According to that program rundl1.exe is a trojan called Assassin.
-
November 17th, 2002, 08:49 AM
#9
Driver Terrier
-
November 17th, 2002, 09:15 AM
#10
Intel Mod
Hee hee, GRC are probably sick of being notified.
At least it shows the heuristics of The Cleaner work & identify the Leaktest's "test trojan" behaviour.
That could make it a nasty target for a real trojan to hide in, though. GRC might be wise to supply "genuine file" CRC info if The Cleaner has a false alarm prevention register.